Security Researcher Shows How Remote macOS Exploit Hoodwinks Safari Users With Custom URL Schemes

Discussion in 'Mac Blog Discussion' started by MacRumors, Sep 5, 2018.

  1. MacRumors macrumors bot


    Apr 12, 2001

    A security researcher has demonstrated how macOS users are vulnerable to remote infection through a malicious exploit involving the "Do you want to allow..." popup that can be encountered when visiting websites in Safari.

    In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app - like a PDF in Preview, for example - and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats.


    The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.
    In the next stage, the malicious web page runs code that can load or "browse" to the custom URL scheme, which causes macOS to activate the URL handler and launch the malicious application.

    This action is enabled through the Safari user prompt that includes options to "Allow" or "Cancel" the process, however the popup text and available options are controlled by the attacker, and are therefore easily changed to trick or deceive the user.


    The standard defenses built into macOS - Gatekeeper, for example - are said to be ineffective when it comes to the attack described above, and while Apple could always revoke the malicious app's signature, that course of action would obviously be too late for anyone who had already gone ahead and launched it.

    Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.

    Article Link: Security Researcher Shows How Remote macOS Exploit Hoodwinks Safari Users With Custom URL Schemes
  2. Kebabselector macrumors 68030


    May 25, 2007
    Birmingham, UK
    Surely this should be the default position for any user regardless of the exploit or not.
  3. jel888 macrumors newbie


    Jan 17, 2018
    So glad that I don't have this option checked! Thanks! Also, if you are the rare macOS user who does have a malware or antivirus app, does this apply still? As in, if your malware or antivirus is set up to check the opening of files (whether "safe" or not), then might this help prevent the code from running and thus installing a malicious code?
  4. maflynn Moderator


    Staff Member

    May 3, 2009
    Yikes, that's scary stuff - I had to check to make sure Safari doesn't automatically open "safe" items.
  5. ArtOfWarfare macrumors G3


    Nov 26, 2007
    I’d think it wouldn’t necessarily help. My understanding is all antivirus apps do is scan files for known virus signatures.

    It’d help against anything from a script-kiddie, but so long as the person who did this actually wrote their own malicious app rather than relying on something preexisting, then there’d be nothing for the antivirus app to tell you was definitely dangerous.

    It could always tell you nobody had verified the program was actually safe, I guess, but my antivirus on Windows at work tells me that a lot and I always ignore it. I’d guess with AV being so uncommon on macOS, the library of apps it would recognize as definitely safe would be even smaller.
  6. NaOH macrumors newbie

    Sep 25, 2003
    London, United Kingdom
    There have been a few previous security vulnerabilities relating to Safari on the Mac, where allowing Safari to open 'safe' files was the entry vector.

    Ever since the first such vulnerability, it's been my opinion that the safest approach is to simply leave that option turned off permanently. Particularly as it doesn't really add much convenience. I very rarely want to open a file as soon as it's been downloaded. Also, opening a file manually involves two clicks at the very most.

    Anyway, I feel this is one instance where security outweighs convenience by a very wide margin.
  7. jel888 macrumors newbie


    Jan 17, 2018

    Thanks! I'm using Malwarebytes (which Apple actually uses when checking thinks, at least their tech did a few times when I've called) and also Bitdefender (really like and they have an extensive library I think even for Mac), but I definitely agree with you that we tend to ignore the kind of warnings you mentioned about verified certificates.

    Bitdefender recently made what I think is a major improvement in it's notifications. It tells me that an app is trying to write something and whether the app i certified, Apple approved, previous was and now isn't, etc. It really gives me "context" in which to have a basis for deciding whether I want to allow the app to take action or not. I'm not saying this to recommend it or not, but glad that they went in this direction to give a maximum of informations to help the user take action.
  8. NaOH macrumors newbie

    Sep 25, 2003
    London, United Kingdom
    Yeah, I think something went weird when I tried to reply the first time.
    My proper reply seems to be further down the page.
  9. twistedpixel8 macrumors 6502


    Jun 9, 2017
    It shouldn’t even be a feature. How lazy do you have to be if you can’t double click an archive?!
  10. Justanotherfanboy macrumors 6502


    Jul 3, 2018
    His snarky “thanks Apple!” comment seemed a bit unprofessional for a security researcher.
    Surely he must be aware that all tech companies don’t try to have security holes... & if none existed whatsoever, he’d be out of a job.
  11. MrGimper macrumors 603


    Sep 22, 2012
    Andover, UK
    I only came here to doff my cap for the use of the word "hoodwinks"
  12. thisisnotmyname macrumors 68000


    Oct 22, 2014
    known but velocity indeterminate
    Some are based upon signatures, others based upon heuristics. Heuristic based anti-virus can catch previously unknown viruses.
  13. Porco macrumors 68030


    Mar 28, 2005
    I have always turned this option off for any mac I worked with. It should never have been a thing, and certainly never the default.
  14. HBX macrumors member


    Sep 16, 2014
    Portland, Oregon
    Meh, never used Safari, never will. Opera is great on MacOS.
  15. iapplelove macrumors 601


    Nov 22, 2011
    East Coast USA
    Mine was checked. Now it’s not.

  16. Darmok N Jalad macrumors 68000

    Darmok N Jalad

    Sep 26, 2017
    Thanks for the news. I disabled it for both users on the iMac.

    Yeah, especially zip files. That extension has been the germ donkey of the tech world for as long as I can remember.
  17. NaOH macrumors newbie

    Sep 25, 2003
    London, United Kingdom
    Come to think of it. Opera is my current go-to browser for downloading stuff. Mainly because it lets me set the default download behaviour to ask me which folder to save the download in.

    Safari doesn't let me do that without right-clicking/option-clicking on the download link. I guess that's down to Apple's insistence that people shouldn't need to have a folder structure.
  18. luvbug macrumors regular


    Aug 11, 2017
    Similar to the Mail preference to "Prohibit loading remote content", I always have the "Automatically open safe files" turned off. This is an area where I think Apple should have an install-time option to select among a couple security-level profiles like "I'm lazy" (wide open), "Convenience" (middling), and "Protect and defend" (reasonably strict).
  19. NaOH macrumors newbie

    Sep 25, 2003
    London, United Kingdom
    Indeed. A zip file could contain anything.
  20. coolfactor macrumors 601

    Jul 29, 2002
    Vancouver, BC CANADA
    You nailed it. Zip files should not be on the list of "safe" files!
  21. justperry macrumors G3


    Aug 10, 2007
    In the core of a black hole.
    Don't forget RAR files.
  22. CarlJ macrumors 68030


    Feb 23, 2004
    San Diego, CA, USA
    TIL there are people who have the option for this enabled?!? First thing I turned off when it first appeared. Zip files will open when I decide and not before, TYVM.
  23. thespyder macrumors newbie

    Jun 22, 2009
    Bris Vegas, Australia
    I'm not convinced it's that bad. At one point the article admits it's only older versions of safari:
    Safari 11 is distributed as an update to that OS, although 12 won't be, but (imo) most users will be running an updated Safari. We're really only talking about the percentage of the user base who never runs software update and they likely have easier-to-exploit security vulnerabilities than this.

    He's sort of right about gatekeeper, I'm not familiar with how long Apple takes to revoke malicious developer certificates, but now we're talking about the percentage of users who both don't run the latest Safari and accept all prompts put in front of them.

    I'm a software developer so I'm clearly biased but most mac users I know wouldn't be infected by this attack.

Share This Page

22 September 5, 2018